Hi, I did not post any additional details, since I think none of it is relevant. I used mmc to configure the IIS. The file is accessible, so the IIS config is ok.
I don’t understand why it says:
Preliminary validation looks good, but ACME will be more thorough…
and then times out with no information on what is checked additionally.

Unfortunately, it looks like the logs from win-acme aren’t detailed enough here. When an authorization fails, the certificate authority returns a message explaining why it failed. But here win-acme apparently received that message but failed to include it in the log. That makes it hard to be sure of the reason; it would be helpful to find a way to make win-acme create more verbose logs, if possible.

Last updated: July 27, 2017
CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was standardized in 2013 by RFC...

This document thoroughly explains the situation about CAA. The most relevant section may be:

Since Let’s Encrypt checks CAA records before every certificate we issue, sometimes we get errors even for domains that haven’t set any CAA records. When we get an error, there’s no way to tell whether we are allowed to issue for the affected domain, since there could be CAA records present that forbid issuance, but are not visible because of the error. If you receive CAA-related errors, try a few more times against our staging environment to see if they are temporary or permanent. If they are permanent, you will need to file a support issue with your DNS provider, or switch providers. If you’re not sure who your DNS provider is, ask your hosting provider. Some DNS providers that are unfamiliar with CAA initially reply to problem reports with “We do not support CAA records.” Your DNS provider does not need to specifically support CAA records; it only needs to reply with a NOERROR response for unknown query types (including CAA). Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.
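The check the quoted section describes can be run against a single nameserver. The sketch below is an added example, not part of the original posts or of any Let's Encrypt tooling: it builds a CAA query, reads the response code from the reply header, and flags anything other than NOERROR. The function names, the fixed transaction ID and the constructed sample replies are assumptions, and the queried name is assumed to exist in the zone.

```python
import socket
import struct

CAA_QTYPE = 257  # DNS type number assigned to CAA
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234    # fixed transaction ID, acceptable for a one-off diagnostic

def build_caa_query(name):
    """Encode a single-question DNS query asking for the CAA records of `name`."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_QTYPE, 1)   # class IN

def parse_rcode(response):
    """Return (rcode_name, answer_count) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & 0x8000:  # QR bit must mark this as a response
        raise ValueError("not a response to our query")
    code = flags & 0x000F
    return RCODES.get(code, f"RCODE{code}"), ancount

def assess(response):
    """Judge a reply by the rule quoted above: only NOERROR is acceptable."""
    rcode, ancount = parse_rcode(response)
    if rcode == "NOERROR":
        return f"ok: NOERROR with {ancount} answer record(s)"
    return f"problem: server answered {rcode} to a CAA query"

def check_server(server_ip, name, timeout=5.0):
    """Query one nameserver over UDP; an unanswered query is also a failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_caa_query(name), (server_ip, 53))
            return assess(s.recvfrom(4096)[0])
        except socket.timeout:
            return "problem: no reply to CAA query (timeout)"

def fake_response(rcode, ancount=0, name="example.com"):
    """Constructed sample reply (not captured traffic) for offline checks."""
    question = build_caa_query(name)[12:]
    return struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, ancount, 0, 0) + question
```

Run `check_server()` once per authoritative nameserver of the zone, since a single misbehaving server is enough to cause intermittent CAA failures.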

@JuergenAuer Which tool did you use to analyse my DNS servers in such detail? Letsdebug just gives me a fatal error. I raised the issue with my DNS provider, but he did not give me a detailed reply or feedback.